CRA

Cyber Resilience Act

Cybersecurity of networked devices

The Cyber Resilience Act (CRA) adopted by the Council of EU Home Affairs Ministers in 2024 will impose new minimum requirements on manufacturers of networked devices in terms of cybersecurity.

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) sets out binding requirements for the cyber security of networked devices placed on the market within the EU with the aim of creating a uniform security standard for digital hardware and software products on the European market.

Who is affected?

The European Union's Cyber Resilience Act aims to improve the cyber security of products with digital elements. Manufacturers, importers and distributors of such products that are placed on the market in the EU are affected. This includes a wide range of products, from IoT devices to software applications that are connected to the internet or have digital functions.

The Act sets out cybersecurity requirements that these products must fulfil before they can be sold in the EU. These include security measures that must be maintained throughout the entire life cycle of the product, as well as the obligation to disclose security vulnerabilities and provide security updates.

Companies that manufacture, import or distribute such products must ensure that their products comply with the standards set out in the Cyber Resilience Act in order to avoid legal and financial consequences.

Only a few types of product are exempt from the CRA. These include, for example, non-commercial open source software products.

Risk assessment

The CRA defines product categories based on their cyber risk.

Default category

The "default category" includes products with digital components that have a low cyber risk. These include consumer products such as games, software and devices for image processing.

  • Tests: Self-assessment by the manufacturer
  • Security updates and vulnerability management are required

Important Class I Products

The "Important products I" category includes products that contain a security function that in turn affects other products. These include, for example, browsers, microcontrollers, microprocessors, password managers, operating systems, smart homes and virtual assistants.

  • Tests: Certification by a conformity assessment body (CAB)
  • Regular security checks and updates are required

Important Class II Products

The category of "Important Products Class II" includes products with digital components that fulfil a function which poses a significant risk: manipulation of such a product could affect a large number of these products or endanger the health and safety of users. These products include, for example, firewalls, systems for attack detection and prevention, and tamper-proof microcontrollers and processors.

  • Tests: Intensive testing by a CAB
  • Detailed risk assessments, regular security checks and immediate responses to vulnerabilities are required

Critical Products

The category of "critical products" includes products that represent a critical dependency for companies affected by NIS-2 (Article 3 of Directive (EU) 2022/2555). These are products that could lead to serious interruptions or disruptions in services or supply chains if they malfunction. These include, for example, smart cards and SEs, smart meter gateways, and hardware devices with security boxes.

  • Mandatory conformity assessment and certification by a certification body apply here

We will support you – no matter what

Get started at last! We advise you: TÜV NORD IT Secure Communication | Berlin

Goal achieved? We check that: TÜV Informationstechnik | Essen

Requirements and current information

What does the CRA entail?

The CRA contains new minimum cybersecurity requirements for connected devices. In future, all connected products that are placed on the market within the EU must bear the CE mark. This visibly proves to the outside world that the labelled product fulfils the requirements of the CRA.

Requirements imposed on manufacturers include:

  • Consideration & implementation of cyber security over the entire product life cycle (planning, development, production, operation)
  • Documentation of all cybersecurity risks
  • Reporting cybersecurity incidents to both ENISA and affected users
  • Ensuring that potential vulnerabilities are effectively addressed over the expected product life cycle (maximum 5 years)
  • Provision of security updates for at least 5 years
  • Clear & understandable operating instructions for products with digital elements

What is the current status?

The CRA was adopted by the Council of EU Home Affairs Ministers on 10 October 2024 and published in the Official Journal of the European Union on 20 November 2024 as Regulation (EU) 2024/2847.

Deadlines for implementation:

  • 10 December 2024: Entry into force of the CRA
  • 11 June 2026: Chapter IV (Notification of conformity assessment bodies) enters into force
  • 11 September 2026: Manufacturers are obliged to inform national authorities and ENISA about actively exploited vulnerabilities in their products (reporting obligations).
  • 11 December 2027: All CRA requirements apply from this date. This means that all connected products placed on the market within the EU must bear a CE mark.